From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	patches@lists.linux.dev,
	syzbot+e5e64cdf8e92046dd3e1@syzkaller.appspotmail.com,
	Kuniyuki Iwashima <kuniyu@google.com>,
	Luiz Augusto von Dentz <luiz.von.dentz@intel.com>,
	Sasha Levin <sashal@kernel.org>
Subject: [PATCH 6.16 049/183] Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen()
Date: Sun,  7 Sep 2025 21:57:56 +0200
Message-ID: <20250907195616.944411977@linuxfoundation.org>
In-Reply-To: <20250907195615.802693401@linuxfoundation.org>

6.16-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kuniyuki Iwashima <kuniyu@google.com>

[ Upstream commit 862c628108562d8c7a516a900034823b381d3cba ]

syzbot reported the splat below without a repro.

In the splat, a single thread calling bt_accept_dequeue() freed sk
and touched it after that.

The root cause would be the racy l2cap_sock_cleanup_listen() call
added by the cited commit.

bt_accept_dequeue() is called under lock_sock() except for
l2cap_sock_release().

Two threads could see the same socket during the list iteration
in bt_accept_dequeue():

  CPU1                        CPU2 (close())
  ----                        ----
  sock_hold(sk)               sock_hold(sk);
  lock_sock(sk)   <-- block close()
  sock_put(sk)
  bt_accept_unlink(sk)
    sock_put(sk)  <-- refcnt by bt_accept_enqueue()
  release_sock(sk)
                              lock_sock(sk)
                              sock_put(sk)
                              bt_accept_unlink(sk)
                                sock_put(sk)        <-- last refcnt
                              bt_accept_unlink(sk)  <-- UAF

Depending on the timing, the other thread could show up in the
"Freed by task" part.

Let's call l2cap_sock_cleanup_listen() under lock_sock() in
l2cap_sock_release().

[0]:
BUG: KASAN: slab-use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline]
BUG: KASAN: slab-use-after-free in do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115
Read of size 4 at addr ffff88803b7eb1c4 by task syz.5.3276/16995
CPU: 3 UID: 0 PID: 16995 Comm: syz.5.3276 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xcd/0x630 mm/kasan/report.c:482
 kasan_report+0xe0/0x110 mm/kasan/report.c:595
 debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline]
 do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115
 spin_lock_bh include/linux/spinlock.h:356 [inline]
 release_sock+0x21/0x220 net/core/sock.c:3746
 bt_accept_dequeue+0x505/0x600 net/bluetooth/af_bluetooth.c:312
 l2cap_sock_cleanup_listen+0x5c/0x2a0 net/bluetooth/l2cap_sock.c:1451
 l2cap_sock_release+0x5c/0x210 net/bluetooth/l2cap_sock.c:1425
 __sock_release+0xb3/0x270 net/socket.c:649
 sock_close+0x1c/0x30 net/socket.c:1439
 __fput+0x3ff/0xb70 fs/file_table.c:468
 task_work_run+0x14d/0x240 kernel/task_work.c:227
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43
 exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
 syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
 do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f2accf8ebe9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffdb6cb1378 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 00000000000426fb RCX: 00007f2accf8ebe9
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
RBP: 00007f2acd1b7da0 R08: 0000000000000001 R09: 00000012b6cb166f
R10: 0000001b30e20000 R11: 0000000000000246 R12: 00007f2acd1b609c
R13: 00007f2acd1b6090 R14: ffffffffffffffff R15: 00007ffdb6cb1490
 </TASK>

Allocated by task 5326:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:388 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:405
 kasan_kmalloc include/linux/kasan.h:260 [inline]
 __do_kmalloc_node mm/slub.c:4365 [inline]
 __kmalloc_noprof+0x223/0x510 mm/slub.c:4377
 kmalloc_noprof include/linux/slab.h:909 [inline]
 sk_prot_alloc+0x1a8/0x2a0 net/core/sock.c:2239
 sk_alloc+0x36/0xc20 net/core/sock.c:2295
 bt_sock_alloc+0x3b/0x3a0 net/bluetooth/af_bluetooth.c:151
 l2cap_sock_alloc.constprop.0+0x33/0x1d0 net/bluetooth/l2cap_sock.c:1894
 l2cap_sock_new_connection_cb+0x101/0x240 net/bluetooth/l2cap_sock.c:1482
 l2cap_connect_cfm+0x4c4/0xf80 net/bluetooth/l2cap_core.c:7287
 hci_connect_cfm include/net/bluetooth/hci_core.h:2050 [inline]
 hci_remote_features_evt+0x4dd/0x970 net/bluetooth/hci_event.c:3712
 hci_event_func net/bluetooth/hci_event.c:7519 [inline]
 hci_event_packet+0xa0d/0x11c0 net/bluetooth/hci_event.c:7573
 hci_rx_work+0x2c5/0x16b0 net/bluetooth/hci_core.c:4071
 process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3236
 process_scheduled_works kernel/workqueue.c:3319 [inline]
 worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
 kthread+0x3c2/0x780 kernel/kthread.c:463
 ret_from_fork+0x5d7/0x6f0 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Freed by task 16995:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
 poison_slab_object mm/kasan/common.c:243 [inline]
 __kasan_slab_free+0x60/0x70 mm/kasan/common.c:275
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2417 [inline]
 slab_free mm/slub.c:4680 [inline]
 kfree+0x2b4/0x4d0 mm/slub.c:4879
 sk_prot_free net/core/sock.c:2278 [inline]
 __sk_destruct+0x75f/0x9a0 net/core/sock.c:2373
 sk_destruct+0xc2/0xf0 net/core/sock.c:2401
 __sk_free+0xf4/0x3e0 net/core/sock.c:2412
 sk_free+0x6a/0x90 net/core/sock.c:2423
 sock_put include/net/sock.h:1960 [inline]
 bt_accept_unlink+0x245/0x2e0 net/bluetooth/af_bluetooth.c:262
 bt_accept_dequeue+0x517/0x600 net/bluetooth/af_bluetooth.c:308
 l2cap_sock_cleanup_listen+0x5c/0x2a0 net/bluetooth/l2cap_sock.c:1451
 l2cap_sock_release+0x5c/0x210 net/bluetooth/l2cap_sock.c:1425
 __sock_release+0xb3/0x270 net/socket.c:649
 sock_close+0x1c/0x30 net/socket.c:1439
 __fput+0x3ff/0xb70 fs/file_table.c:468
 task_work_run+0x14d/0x240 kernel/task_work.c:227
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43
 exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
 syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
 do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Fixes: 1728137b33c0 ("Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_ready_cb")
Reported-by: syzbot+e5e64cdf8e92046dd3e1@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-bluetooth/68af6b9d.a70a0220.3cafd4.0032.GAE@google.com/
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bluetooth/l2cap_sock.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index 82d943c4cb505..05b7480970f72 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -1422,7 +1422,10 @@ static int l2cap_sock_release(struct socket *sock)
 	if (!sk)
 		return 0;
 
+	lock_sock_nested(sk, L2CAP_NESTING_PARENT);
 	l2cap_sock_cleanup_listen(sk);
+	release_sock(sk);
+
 	bt_sock_unlink(&l2cap_sk_list, sk);
 
 	err = l2cap_sock_shutdown(sock, SHUT_RDWR);
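Review bot: The new lock_sock_nested(sk, L2CAP_NESTING_PARENT) / release_sock(sk) pair around l2cap_sock_cleanup_listen(sk) carries no comment saying what it serializes against. The commit message explains that every other bt_accept_dequeue() caller already holds lock_sock() and that l2cap_sock_release() was the exception, but none of that is visible at the call site. I would add a one-line comment above the lock stating that the listening socket's lock keeps two threads from walking the accept queue at once, and note why the parent nesting subclass is needed here. A lockdep check such as sock_owned_by_me(sk) at the top of l2cap_sock_cleanup_listen() would also catch any future caller that reintroduces the unlocked path. The lock is dropped before bt_sock_unlink() and l2cap_sock_shutdown(), so it is worth confirming in the changelog that nothing after release_sock(sk) can still reach children on the accept queue.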
-- 
2.50.1
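A triage helper for reports like the splat in this commit message, added here as an example (it is not part of the patch or of any kernel tooling). It parses a KASAN report, checks whether the freeing and the accessing task are the same, and finds the innermost function both stacks share. The names `parse_kasan` and `triage` are hypothetical; the input is a trimmed excerpt of the splat quoted above.

```python
import re

# Trimmed excerpt of the KASAN report quoted in the commit message above
# (frames elided, kept lines unchanged).
SPLAT = """\
BUG: KASAN: slab-use-after-free in do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115
Read of size 4 at addr ffff88803b7eb1c4 by task syz.5.3276/16995
Call Trace:
 <TASK>
 kasan_report+0xe0/0x110 mm/kasan/report.c:595
 do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115
 release_sock+0x21/0x220 net/core/sock.c:3746
 bt_accept_dequeue+0x505/0x600 net/bluetooth/af_bluetooth.c:312
 l2cap_sock_cleanup_listen+0x5c/0x2a0 net/bluetooth/l2cap_sock.c:1451
 l2cap_sock_release+0x5c/0x210 net/bluetooth/l2cap_sock.c:1425
 </TASK>

Allocated by task 5326:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 sk_alloc+0x36/0xc20 net/core/sock.c:2295
 bt_sock_alloc+0x3b/0x3a0 net/bluetooth/af_bluetooth.c:151

Freed by task 16995:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kfree+0x2b4/0x4d0 mm/slub.c:4879
 sk_free+0x6a/0x90 net/core/sock.c:2423
 sock_put include/net/sock.h:1960 [inline]
 bt_accept_unlink+0x245/0x2e0 net/bluetooth/af_bluetooth.c:262
 bt_accept_dequeue+0x517/0x600 net/bluetooth/af_bluetooth.c:308
 l2cap_sock_cleanup_listen+0x5c/0x2a0 net/bluetooth/l2cap_sock.c:1451
 l2cap_sock_release+0x5c/0x210 net/bluetooth/l2cap_sock.c:1425
"""

# A stack frame: indented symbol, optional +off/size, optional file:line, optional [inline].
FRAME = re.compile(
    r"^\s+(?P<fn>[A-Za-z_][\w.]*)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?"
    r"(?:\s+(?P<file>\S+):(?P<line>\d+))?(?:\s+\[inline\])?\s*$"
)
BUG = re.compile(r"^BUG: KASAN: (?P<type>\S+) in ")
ACCESS = re.compile(
    r"^(?P<kind>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) "
    r"by task (?P<comm>.+)/(?P<pid>\d+)$"
)
SECTION = re.compile(r"^(?P<what>Allocated|Freed) by task (?P<pid>\d+):$")


def parse_kasan(text):
    """Split a KASAN report into header fields and access/alloc/free stacks."""
    rep = {"bug": None, "access": None, "pids": {},
           "stacks": {"access": [], "alloc": [], "free": []}}
    current = None
    for line in text.splitlines():
        if m := BUG.match(line):
            rep["bug"] = rep["bug"] or m["type"]
        elif m := ACCESS.match(line):
            rep["access"] = {"kind": m["kind"], "size": int(m["size"]),
                             "addr": m["addr"], "comm": m["comm"]}
            rep["pids"]["access"] = int(m["pid"])
        elif line.startswith("Call Trace:"):
            current = "access"
        elif m := SECTION.match(line):
            current = "alloc" if m["what"] == "Allocated" else "free"
            rep["pids"][current] = int(m["pid"])
        elif current and (m := FRAME.match(line)):
            site = f"{m['file']}:{m['line']}" if m["file"] else None
            rep["stacks"][current].append((m["fn"], site))
        elif not line.strip():
            current = None  # a blank line ends the current stack
    return rep


def triage(rep):
    """Report the innermost function present in both the free and access stacks."""
    use_sites = {}
    for fn, site in rep["stacks"]["access"]:
        use_sites.setdefault(fn, site)  # keep the innermost occurrence
    shared = next(((fn, site) for fn, site in rep["stacks"]["free"]
                   if fn in use_sites and "kasan" not in fn), None)
    free_pid = rep["pids"].get("free")
    return {
        "bug": rep["bug"],
        "same_task": free_pid is not None and free_pid == rep["pids"].get("access"),
        "shared_frame": shared[0] if shared else None,
        "free_site": shared[1] if shared else None,
        "use_site": use_sites[shared[0]] if shared else None,
    }


if __name__ == "__main__":
    print(triage(parse_kasan(SPLAT)))
```

A matching task ID does not rule out a race: as the commit message notes, the other thread can appear in the "Freed by task" part depending on timing.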



